v1.18.9

copyparty/__version__.py

@@ -1,8 +1,8 @@
 # coding: utf-8
 
-VERSION = (1, 18, 8)
+VERSION = (1, 18, 9)
 CODENAME = "logtail"
-BUILD_DT = (2025, 7, 31)
+BUILD_DT = (2025, 8, 1)
 
 S_VERSION = ".".join(map(str, VERSION))
 S_BUILD_DT = "{0:04d}-{1:02d}-{2:02d}".format(*BUILD_DT)

docs/changelog.md

@@ -1,3 +1,81 @@
+▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀  
+# 2025-0731-0833  `v1.18.8`  sfx hotfix
+
+## 🩹 bugfixes
+
+* #354 fix `copyparty-sfx.py` failing to start on certain versions of python c17ce4892ecdb4e11437bc2785d132bd8100eaec
+
+
+
+▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀  
+# 2025-0730-2131  `v1.18.7`  SECURITY: fix another XSS
+
+## ⚠️ ATTN: this release fixes an XSS vulnerability
+
+[GHSA-8mx2-rjh8-q3jq](https://github.com/9001/copyparty/security/advisories/GHSA-8mx2-rjh8-q3jq), could let an attacker execute arbitrary JS by tricking you into clicking a malicious URL
+
+Soon there won't be many of these left, surely. Huge thanks to @Ju0x for finding and reporting this.
+
+## 🧪 new features
+
+* #265 uid/gid for new files can be configured per-volume f1959988
+  * has preconditions; [see readme](https://github.com/9001/copyparty#chmod-and-chown)
+* #212 add German translation (thx @rGunti, @Scotsguy, @chocolateimage) 9d32564c
+
+## 🩹 bugfixes
+
+* GHSA-8mx2-rjh8-q3jq a8705e61
+* #276 windows: fix segfault (thx @kernel1994 for debugging!) a9d07c63
+* #272 webdav: send disk-size and disk-free to clients 4988a55e
+* #285 use disk-free sans root-reserve on linux (thx @Arklaum!) c3cc2dde 
+* cors-check was funky on IPv6 e9684d40
+* #325 upgrade sharex example for newer versions 6016ec93
+* #300 restore support for old versions of python 2.7 b7ca6f4a
+
+## 🔧 other changes
+
+* shares: the config POST-target is now always the webroot (for ease of IdP configuration) fb7cbc42 
+* unlist: now applies to the navpane too fbf17be2
+* windows: show disk-usage as well, not just disk-free 5c6341e9
+* #228 nix-pkg improvements (thx @dtomvan!) 4915b14b
+* docker-compose: ensure logs appear in realtime 3cde1f3b
+* mention that IdP-volumes and users [can now be persisted](https://github.com/9001/copyparty/blob/hovudstraum/docs/idp.md#but-you-can-enable-idp-volume-persistence) 6069bc9b
+* #316 explain a scary-looking thing in the code 053de619
+
+
+
+▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀  
+# 2025-0728-2320  `v1.18.6`  reflink-dedup
+
+## 🧪 new features
+
+* #201 add support for reflink-based dedup on cow filesystems df9feabc
+  * combine `--dedup` with `--reflink` to enable, or volflags with same name
+  * a better and safer alternative to the other dedup approaches (symlink/hardlink), but only possible to use in some cases:
+    * needs linux 5.3 or newer, python 3.14 or newer, btrfs/xfs/zfs
+    * not available in the docker images yet; needs a new version of python, so maybe next alpine release (november/december 2025)
+* ratelimit password changes to impede bruteforcing a2601fd6
+  * limit is set by `--ban-pwc` (default is 5 changes in 60min)
+
+## 🩹 bugfixes
+
+* #240 nixos: fix unixgroups issue (thx @chinponya!) 7c9c962b
+* #246 cbz: use correct page for thumbnail (thx @Scotsguy!) 542a1de1
+
+## 🔧 other changes
+
+* volflag `nosub` now also prevents mkdir 0f2c6235
+* improve documentation:
+  * #229 use the same example UDS path everywhere cb019afe
+  * [example nginx config](https://github.com/9001/copyparty/blob/hovudstraum/contrib/nginx/copyparty.conf) had misleading cloudflare comment (thx @jmi2k!) 674fc1fe
+  * more readable `--help-chmod` 03d23dae
+  * #244 fix typo in `--help` 4f013f64
+* #242 hide "use real pw" on connectpage if no accounts (thx @toast003!) 025942a7
+* #211 docker: remove deprecated attribute (thx @ptweezy!) 5b98e104
+* #190 add the feature-showcase video to the readme (thx @RustoMCSpit!) 43e6da34
+
+
+
 ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀  
 # 2025-0727-2305  `v1.18.5`  SECURITY: fix XSS in media tags